RabbitMQ FIPS Cipher


Satheesh Kumar

Oct 20, 2023, 3:59:37 AM
to rabbitmq-users
Hi

I have compiled and built OpenSSL and Erlang in FIPS mode and installed RabbitMQ on top of that. When I tried to start RabbitMQ I got an error with ciphers.

OpenSSL: 3.0.8
Erlang: 26.1.2
RabbitMQ: 3.12.7

I am able to verify the below Erlang

[screenshot]

In the file below I am passing CIPHERS to RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS.

runrabbitmq.sh
export OPENSSL_FIPS=1
export OPENSSL_CONF=/usr/local/ssl/openssl.cnf
export OPENSSL_MODULES=/usr/local/lib64/ossl-modules
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/
export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig/


if [ "$CLUSTERING" != false ]; then
hostIP=$(curl --connect-timeout 10 http://169.254.169.254/latest/meta-data/local-ipv4)

export RABBITMQ_USE_LONGNAME=true
rabbitmq-plugins enable --offline rabbitmq_peer_discovery_k8s
fi

# Erlang SSL

CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256'
export ERL_SSL_PATH=/usr/local/lib/erlang/lib/ssl-11.0.3/ebin
export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tls -ssl_dist_opt server_certfile /etc/rabbitmq/ssl/server.pem -ssl_dist_opt server_keyfile /etc/rabbitmq/ssl/server.key -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true -ssl_dist_opt server_ciphers ${CIPHERS}"


# Logs to stdout
export RABBITMQ_LOGS=-
export RABBITMQ_SASL_LOGS=-

# ERL VM tuning
export RABBITMQ_SCHEDULER_BIND_TYPE=ts


export RABBITMQ_VERSION=3.12.7
export RABBITMQ_HOME=/srv/rabbitmq_server-${RABBITMQ_VERSION}
#replace the rabbitmq service_name and hostname_suffix
sed -i "s/REPLACE_SERVICE_NAME/$K8S_SERVICE_NAME/g" ${RABBITMQ_HOME}/etc/rabbitmq/rabbitmq.conf
sed -i "s/REPLACE_HOSTNAME_SUFFIX/$K8S_HOSTNAME_SUFFIX/g" ${RABBITMQ_HOME}/etc/rabbitmq/rabbitmq.conf

echo "rabbitmq hostname $K8S_HOSTNAME_SUFFIX"
echo "and service name $K8S_SERVICE_NAME"

sleep 10 &
wait $!
#service account token is mounted at location and described in rabbitmq.conf as k8s_token_path
cp -f -v /var/run/secrets/kubernetes.io/serviceaccount/token /etc/rabbitmq/ssl/token
cp -f -v /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/rabbitmq/ssl/ca.crt
cp -f -v /var/run/secrets/kubernetes.io/serviceaccount/namespace /etc/rabbitmq/ssl/namespace

podName=$(hostname -f)
export RABBITMQ_NODENAME=rabbit@$podName

# RMQ server process so we can tail the logs
# to the same stdout
rabbitmq-server &



I am getting the error below:

2023-10-20 07:53:36.731505+00:00 [error] <0.866.0> Cannot accept TLS distribution connection: Invalid TLS option: {ciphers,["ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256"]}
2023-10-20 07:53:36.731505+00:00 [error] <0.866.0>


May I know what the valid FIPS ciphers are for RabbitMQ with TLS 1.2?

Luke Bakken

Oct 20, 2023, 9:47:11 AM
to rabbitmq-users
Hello,

You are not using the correct format for the ciphers.


I also strongly suggest using the rabbitmq.conf file to configure RabbitMQ, rather than RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS.

Finally, there is a Kubernetes Operator for RabbitMQ - https://www.rabbitmq.com/kubernetes/operator/operator-overview.html

Thanks,
Luke
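
Added example (editor's, not code from Luke's reply, from the original post, or from RabbitMQ): a POSIX shell helper that validates an OpenSSL-style cipher string and renders the Erlang term file read by -ssl_dist_optfile, Erlang's documented alternative to stacking -ssl_dist_opt flags inside RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS. Inside that file the ciphers option is the colon-separated OpenSSL string given as a single Erlang string, so no extra wrapping is involved. The four-suite cipher subset, the optfile path /etc/rabbitmq/inter_node_tls.config and the CA certificate path are constructed assumptions; verify_peer and fail_if_no_peer_cert are additions beyond the posted script so that nodes authenticate each other's certificates rather than relying only on the Erlang cookie. Which of these suites the FIPS provider actually enables is not something the script decides; that is what rabbitmq-diagnostics cipher_suites --format openssl answers on a running node.

```shell
#!/bin/sh
# Added example, not code from the thread or from RabbitMQ: build an Erlang
# -ssl_dist_optfile for inter-node TLS from an OpenSSL-style cipher string.
# Paths under /etc/rabbitmq/ssl mirror the posted script; the CA file and the
# optfile location are assumptions.

# Constructed subset of the cipher string from the first post (TLS 1.2 AEAD suites).
CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256'

# One suite name per line (OpenSSL cipher lists are colon separated).
split_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# Number of suites in the string.
count_ciphers() {
    split_ciphers "$1" | grep -c .
}

# Return 0 if every token is a bare OpenSSL suite name (letters, digits,
# dashes) and no token is empty; 1 otherwise. This catches quoting mistakes
# such as a stray space, bracket, quote or double colon before the Erlang VM
# rejects the whole ciphers option at distribution start-up.
validate_ciphers() {
    [ -n "$1" ] || return 1
    split_ciphers "$1" | grep -Evq '^[A-Za-z0-9-]+$' && return 1
    return 0
}

# Print the Erlang term file consumed by -ssl_dist_optfile: one option list
# for the server side and one for the client side of a distribution link.
# The ciphers value is the OpenSSL string itself, quoted as an Erlang string.
# verify_peer + fail_if_no_peer_cert enforce mutual certificate checks
# (an addition beyond the posted script).
render_optfile() {
    ciphers=$1; cacert=$2; cert=$3; key=$4
    validate_ciphers "$ciphers" || { echo "bad cipher string: $ciphers" >&2; return 1; }
    cat <<EOF
[
  {server, [
    {cacertfile, "$cacert"},
    {certfile,   "$cert"},
    {keyfile,    "$key"},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true},
    {secure_renegotiate, true},
    {ciphers, "$ciphers"}
  ]},
  {client, [
    {cacertfile, "$cacert"},
    {certfile,   "$cert"},
    {keyfile,    "$key"},
    {verify, verify_peer},
    {secure_renegotiate, true},
    {ciphers, "$ciphers"}
  ]}
].
EOF
}

# Erlang VM arguments that point inter-node distribution at the term file;
# $1 is the ssl application ebin path, $2 the optfile path.
erl_args() {
    printf '%s %s -proto_dist inet_tls -ssl_dist_optfile %s' '-pa' "$1" "$2"
}

# Usage in a start-up script (paths are assumptions mirroring the posted one):
#   render_optfile "$CIPHERS" /etc/rabbitmq/ssl/ca_certificate.pem \
#       /etc/rabbitmq/ssl/server.pem /etc/rabbitmq/ssl/server.key \
#       > /etc/rabbitmq/inter_node_tls.config
#   export RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="$(erl_args \
#       /usr/local/lib/erlang/lib/ssl-11.0.3/ebin /etc/rabbitmq/inter_node_tls.config)"
```

The validation step is deliberately strict: anything that is not a plain suite name is refused up front, so a mis-quoted list fails in the start-up script with a readable message instead of as an "Invalid TLS option" at the first distribution connection.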

Satheesh Kumar

Oct 20, 2023, 11:45:38 AM
to rabbitmq-users
Hi Luke,

I tried to execute the commands for finding the ciphers but got the error below:


/ $ rabbitmq-diagnostics cipher_suites --format openssl -q
Error: unable to perform an operation on node 'rab...@test.svc.cluster.local'. Please see diagnostics information and suggestions below.

Most common reasons for this are:

* Target node is unreachable (e.g. due to hostname resolution, TCP connection or firewall issues)
* CLI tool fails to authenticate with the server (e.g. due to CLI tool's Erlang cookie not matching that of the server)
* Target node is not running

In addition to the diagnostics info below:

* See the CLI, clustering and networking guides on https://rabbitmq.com/documentation.html to learn more
* Consult server logs on node rab...@test.svc.cluster.local
* If target node is configured to use long node names, don't forget to use --longnames with CLI tools

DIAGNOSTICS
===========

attempted to contact: ['rab...@test.svc.cluster.local']

rabbit@test.svc.cluster.local:
* connected to epmd (port 4369) on test.svc.cluster.local
* epmd reports: node 'rabbit' not running at all
no other nodes on test.svc.cluster.local
* suggestion: start the node

Current node details:
* node name: 'rabbitmqcli...@test.svc.cluster.local'
* effective user's home directory: /home/ironfist
* Erlang cookie hash: z0CZ8wlEB4HFdxH01POdWQ==

/ $ rabbitmq-diagnostics cipher_suites --format erlang -q
Error: unable to perform an operation on node 'rabbit@test.svc.cluster.local'. Please see diagnostics information and suggestions below.

Most common reasons for this are:

* Target node is unreachable (e.g. due to hostname resolution, TCP connection or firewall issues)
* CLI tool fails to authenticate with the server (e.g. due to CLI tool's Erlang cookie not matching that of the server)
* Target node is not running

In addition to the diagnostics info below:

* See the CLI, clustering and networking guides on https://rabbitmq.com/documentation.html to learn more
* Consult server logs on node rabbit@test.svc.cluster.local
* If target node is configured to use long node names, don't forget to use --longnames with CLI tools

DIAGNOSTICS
===========

attempted to contact: ['rabbit@test.svc.cluster.local']

rab...@test.svc.cluster.local:
* connected to epmd (port 4369) on test.svc.cluster.local
* epmd reports: node 'rabbit' not running at all
no other nodes on test.svc.cluster.local
* suggestion: start the node

Current node details:
* node name: 'rabbitmqcli-802-rabbit@test.svc.cluster.local'
* effective user's home directory: /home/ironfist
* Erlang cookie hash: z0CZ8wlEB4HFdxH01POdWQ==

Luke Bakken

Oct 21, 2023, 11:42:15 AM
to rabbitmq-users
Emphasis is mine:

attempted to contact: ['rab...@test.svc.cluster.local']

rab...@test.svc.cluster.local:
  * connected to epmd (port 4369) on test.svc.cluster.local
  * epmd reports: node 'rabbit' not running at all
                  no other nodes on test.svc.cluster.local
  * suggestion: start the node

